Re: [linux-lvm] creating a LVM ontop of a cryptated (ppdd) loop back device

[Jose Luis Domingo Lopez <linux-lvm@24x7linux.com>]

On Friday, 18 October 2002, at 09:24:03 +0200,
Jon Bendtsen wrote:

> Jos� Luis Domingo L�pez wrote:
> > I haven't tried, but wouldn't it be possible to just take a snapshots
> > from a LV containing an encrypted filesystem, and then loop-mount it
> > (assuming encrypted via the loop device), give the password, and then
> > backup ?
> 
Well, I finally got to work, and made some test, as promised... And it
seems to work !. A list of commands used (and explanations) follows:

# First, create a test LV
# lvcreate --size 350M --name Test Group00
# Now, bind a loop device to the newly created LV (choose a password)...
# losetup -e blowfish /dev/loop0 /dev/Group00/Test
# ...and make a filesystem on the loop device (so it is encrypted in the LV)
# mke2fs /dev/loop0
# Detach the LV from the loop device...
# losetup -d /dev/loop0
# ...create a test mountpoint...
# mkdir /tmp/test
# ...and finally mount the encrypted FS (over a LV, passwprd needed)
# mount -t ext2 -o loop,encryption=blowfish /dev/Group00/Test /tmp/test

# Nothing fancy by now, just an encrypted filesystem, thanks to
# "loop-aes", but instead of using a partition, a simple test LV
# Now do whatever you want with this flashing new filesystem, for
# example, copy some files to it, so you have something to backup :-)

# Let's create a snapshot LV from the otriginal test LV
# lvcreate --size 50M --snapshot --name EncryptedSnapshot /dev/Group00/Test
# Make a directory to (hopefully) mount the encrypted volume
# mkdir /tmp/encryptedsnapshot
# And now, try to mount the snapshot volume. I don't know the details,
# but it seems by default the snapshot is read-only (don't know if you
# can change this with "lvchange"). So a "ro" argument to "mount" is 
# needed (you will need to supply the password chosen before).
# mount -t ext2 -o ro,loop,encryption=blowfish /dev/Group00/EncryptedSnapshot /tmp/encryptedsnapshot/
# Now you can backup from the snapshot volume, and then unmount...
# umount /tmp/encryptedsnapshot
# ...and be done with this snapshot...
# lvremove /dev/Grupo00/EncryptedSnapshot


As said in my first post to this thread, the encryption layer is
provided by loop-aes (loop-aes.sourceforge.net), which is easy to setup
and is quite well documented (except for one little but annoying detail:
instead of "AES", the algorithm is called "rijndael", otherwise "loop"
complains loudly about an "unknown algorithm type").

Hope this helps.

-- 
Jose Luis Domingo Lopez
Linux Registered User #189436     Debian Linux Woody (Linux 2.4.19-pre6aa1)